Binary package hint: ufw
Some virtual server providers do not supply netfilter connection tracking as part of their kernel. Sometimes the kernels are monolithic as well. Contents of /proc/net/ is:
$ ls -l /proc/net
total 0
-r--r--r-- 1 root root 0 Oct 27 15:51 anycast6
-r--r--r-- 1 root root 0 Oct 27 15:51 arp
-r--r--r-- 1 root root 0 Oct 27 15:51 dev
-r--r--r-- 1 root root 0 Oct 27 15:51 dev_mcast
dr-xr-xr-x 2 root root 0 Oct 27 15:51 dev_snmp6
-r--r--r-- 1 root root 0 Oct 27 15:51 if_inet6
-r--r--r-- 1 root root 0 Oct 27 15:51 igmp
-r--r--r-- 1 root root 0 Oct 27 15:51 igmp6
-r--r----- 1 root root 0 Oct 27 15:51 ip_conntrack
-r--r----- 1 root root 0 Oct 27 15:51 ip_conntrack_expect
-r--r----- 1 root root 0 Oct 27 15:51 ip_tables_matches
-r--r----- 1 root root 0 Oct 27 15:51 ip_tables_names
-r--r----- 1 root root 0 Oct 27 15:51 ip_tables_targets
-r--r--r-- 1 root root 0 Oct 27 15:51 ipv6_route
-r--r--r-- 1 root root 0 Oct 27 15:51 mcfilter
-r--r--r-- 1 root root 0 Oct 27 15:51 mcfilter6
-r--r--r-- 1 root root 0 Oct 27 15:51 netstat
-r--r--r-- 1 root root 0 Oct 27 15:51 packet
-r--r--r-- 1 root root 0 Oct 27 15:51 raw
-r--r--r-- 1 root root 0 Oct 27 15:51 raw6
-r--r--r-- 1 root root 0 Oct 27 15:51 route
-r--r--r-- 1 root root 0 Oct 27 15:51 rt_cache
-r--r--r-- 1 root root 0 Oct 27 15:51 snmp
-r--r--r-- 1 root root 0 Oct 27 15:51 snmp6
-r--r--r-- 1 root root 0 Oct 27 15:51 sockstat
dr-xr-xr-x 2 root root 0 Oct 27 15:51 stat
-r--r--r-- 1 root root 0 Oct 27 15:51 tcp
-r--r--r-- 1 root root 0 Oct 27 15:51 tcp6
-r--r--r-- 1 root root 0 Oct 27 15:51 udp
-r--r--r-- 1 root root 0 Oct 27 15:51 udp6
-r--r--r-- 1 root root 0 Oct 27 15:51 unix
nf_conntrack is not listed, but should be. ufw should check for this and give a helpful error message.
This is the command that failed (with the ufw-before-input chain confirmed to exist):
# iptables -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables: No chain/target/match by that name